The Conflict between LabMD and the FTC

The FTC charged LabMD with a failure to maintain proper cyber security for our patient records. In the final FTC order, the FTC stated that LabMD “did not employ basic risk management techniques and safeguards such as automated intrusion detection systems, file integrity monitoring software or penetration testing, and failed to monitor traffic coming across its firewalls.” We knew these charges were false. We had our networks monitored electronically, rather than the FTC’s definition of “monitored”, which they believe should be a person watching files and data move across the network.

We had our log files on auto delete after 10 days, so there was no proof of whether we did or did not have any of these things, but this is where the regulators made things up. They didn’t think we had the proper precautions in place, so they charged us with not having them in place. We never got our day in court to rebut these charges, because we were always in their court answering their many inquiries.

It is very difficult to fight back when you’re always only on defense answering to the power of the Federal Government. And you’re all alone.

If It Bleeds, It Leads. But If Not…

When you’re not famous or you’re not a Fortune 500 company, the media simply ignores you, and they don’t do any investigative work. If it’s not a front page story, you won’t get any media coverage. This lack of reporting was a constant problem because when you say “we didn’t do it”, they might report it, but they don’t believe you and neither does anyone else.

Your name is tarnished based on allegations made by the Federal Government, rather than proof that you did anything wrong. You are, by definition in the court of public opinion, guilty until proven innocent.

The Final Word in Our Favor: Too Late

After 8 years, the 11th Circuit came out with their written ruling, but who reads court rulings except for those directly impacted? Furthermore, who reads the most important part of the ruling when it is in the footnotes of the ruling? Below are the two footnotes from our victorious ruling over the FTC:

The record is not clear but we assume the billing manager installed the peer to peer sharing app on her workstation computer.

Nobody Challenges the Federal Government

The truth was finally printed, ten years after the FTC began its systematic destruction of the company called LabMD. Federal regulators had lied and exploited our company. It was in the record – pictures of everything as proof of our actual policies and practices – but nobody reads the record. Nobody doubts the government. They just report what the government says, and the government agencies know this.

So, when the FTC judge says we had the proper systems, policies, and procedures in place, the FTC commissioners overturned it, and said the opposite, when it was all there all the time, in black and white, on the record.

It took years to get the court to say it. Meanwhile LabMD’s reputation is trashed and market doubt is created, while the lawyers make money off of the conflict. Nobody is paying attention any longer because it’s been 10 years, but we were right: we had all the policies, practices, and procedures that the government said we did not have.

LabMD was destroyed based on the false accusations of a Federal Government Agency.

Turning Point USA’s 4th annual Student Action Summit will be held December 19-22nd, 2018 in West Palm Beach, FL. 5,000 student activists between the ages of 15 and 25 will be invited to attend. Students who attend this retreat will hear from guest speakers, receive first-class activism and leadership training, and participate in a series of networking events with political leaders and top-tier activist organizations. Be part of the largest gathering of young, conservative students!

Student Tickets

At the bottom of this page is the student attendee application form. Upon receiving an invitation to the Summit, attendees will be able to purchase a $30 admission ticket with a heavily subsidized purchase of a hotel room. This includes three (3) nights of on-site lodging and admission to all general sessions and breakout sessions at the conference. Attendees are responsible for covering the cost of travel to/from West Palm Beach, FL and most meals during the conference. TPUSA will have several promotional events to advertise for our 2019 events. To purchase a ticket to one of the lunches, please click here.

Adult Tickets

If you are an adult, non-student, or parent wishing to attend our Student Action Summit, tickets are limited but we would love to have you! To purchase adult tickets follow the link provided here! All students please apply by filling out the application below. * Adult tickets only cover the cost of admission to the conference. TPUSA does not provide lodging or free meals with this ticket.*

VIP Adult Tickets

If you are an adult, non-student, or parent wishing to attend our Student Action Summit as a VIP, tickets are limited but we would love to have you! To purchase adult VIP tickets follow the link provided here! VIPs get special access to our SAS VIP Lounge and activities.

All students please apply by filling out the application below. We also have a limited number of student VIP tickets which are available to purchase upon acceptance.

The Student Action Summit is an invite-only event. Interested attendees must apply using the form below to receive an invitation to the Summit. TPUSA involvement is not required. If you’ve always wanted to be part of Turning Point USA, this is a great place to start!

The LabMD data security case is anything but dull. An 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity and multiple related civil lawsuits scattered around the country. And last week, LabMD – the target of an FTC data security enforcement action – sued a prominent former federal prosecutor over charges of ethics violations and unsealed its False Claims Act lawsuit against a cybersecurity firm, accusing it of falsifying data breaches as a way of landing new business. Over the weekend, LabMD filed a federal lawsuit against the former U.S. Attorney for the Western District of Pennsylvania for alleged violations of the Ethics in Government Act. The 27-page complaint, filed in Manhattan, accuses Mary Beth Buchanan, now in private practice, of participating in the LabMD enforcement action as counsel to a whistleblower, Richard E. Wallace, even though – the complaint charges – she participated “personally and substantially” in the case while the U.S. Attorney.

The complaint alleges that, while the top federal prosecutor in Pittsburgh, Buchanan authorized the FBI “to install a dedicated DSL line in Wallace’s home office … to access and use FBI proprietary surveillance software and equipment to search and seize evidence from the computers of child pornographers.” LabMD claims that “Wallace used the FBI surveillance software … authorized by Buchanan …. to search for, access and download from a LabMD billing computer … a 1,718-page LabMD file containing confidential health information.” That file is the basis of the FTC’s data security enforcement action against LabMD. Wallace was then the director of special operations for Tiversa Inc., a cybersecurity forensics firm.

The LabMD complaint further alleges that Buchanan was eventually retained by Wallace to represent him in the FTC action and the former U.S. attorney and her firm “direct[ed] Wallace not to testify about his prior work with Buchanan, and in particular, not to disclose his use of the FBI surveillance software and equipment authorized by Buchanan to hack into and take from a computer … a [LabMD] file containing confidential information on over 9,000 patients.”

The Ethics in Government Act – passed after the Watergate scandal – places restrictions on former government officials and either prohibits or restricts their participation in matters in which they were involved while in the government.

The LabMD case dates back to 2010 when the Commission began investigating the Atlanta-based cancer detection lab’s data security practices. After years of back-and-forth, an administrative law judge eventually tossed out the FTC’s case. The Commission reversed and reinstated the case. LabMD appealed to the U.S. Court of Appeals for the Eleventh Circuit. The matter was argued last year and a decision is expected soon. We have covered the LabMD case extensively on this blog.

Earlier last week, LabMD’s False Claims Act lawsuit against cybersecurity firm Tiversa was unsealed in New York federal court. The complaint accuses Tiversa of faking data breaches to lure in new clients including the U.S. government. Tiversa engaged in a scheme to defraud the United States Government out of “millions of dollars” by “fabricat[ing]” cybersecurity breaches in order to obtain lucrative federal contracts, according to the suit.

The complaint alleges that Tiversa searched “peer-to-peer” computer networks to locate and seize sensitive information from the federal government and used that information to falsely represent that there was a security breach when, in fact, it was easily remedied by removing the software from the infected computer. To incite urgency, Tiversa allegedly identified IP addresses of known criminals or locations where it would be perceived as problematic for the information to be found, and falsely claimed that it had found copies of the identified files at those addresses as well. According to the complaint, once Tiversa successfully induced the government entity into a contract, it continued to falsify alarming breaches in order to maintain the business relationship.

LabMD further contends that Tiversa employed the scheme on “public and private entities” nationwide, including the Department of Homeland Security, the Department of Defense and the Department of Education, to name only a few.

“It is a classic protection racket, updated for the digital age,” charges LabMD.

Mark Zuckerberg’s apologies notwithstanding, his social media creation is first and foremost a tool for gathering information about everybody

It has been a tough few months for Facebook CEO Mark Zuckerberg. He has gone from dipping his toe in the presidential waters to being hauled before Congress to defend his company’s privacy policy.

His company has hit troubled waters, some of which stem from a lack of understanding of how the company really operates — and others of which are completely of Zuckerberg’s own making.

Let’s be honest. If you put material on Facebook, you have lost control of it. The company vacuums users’ personal information and traffics it into the marketplace. Data have become currency, and America’s tech industry, led by Google and Facebook, are the Vanderbilts and Rockefellers of data information sales.

It should come as little surprise that the company, as Bloomberg reports, goes so far as to scan links and personal photos people send by Facebook’s messenger app.

Your information is what fuels its bottom line and the company is one of the largest and most powerful corporations in human history.

Zuckerberg’s initial response to the “crisis” is typical of the company and an example of what Rahm Emanuel said: “Never let a good crisis go to waste.” In response to congressional concerns about privacy, the company announced it would sever relationships with third-party data providers.

Facebook claims its action will tamp down on the information, but the truth is that it will monopolize the data the company has collected. If Congress allows this sleight of hand to happen, Facebook will emerge stronger and more powerful than ever before.

For conservatives, Facebook has become a chokehold on information. From Rare, a libertarian-leaning news and information platform, to RightWingNews.com, a long-standing place for conservative-leaning stories, a tweak of Facebook’s algorithm was enough to limit traffic to their sites, which ultimately led to their demise.

The fear that the progressives who dominate the tech industry will use their platforms to punish conservatives is not conspiracy. It is a fact. Google tips the scales on search results by using the race-baiting and vehemently anti-GOP Southern Poverty Law Center.

Facebook has partnered with Snopes, the liberal “fact-checker,” to determine what is fake news. Twitter has banned conservatives with large followings while ignoring liberals who often call for President Donald Trump’s demise.

Recently, Zuckerberg added gasoline to the fire by telling Vox.com that his vision for the platform is not free speech but the creation of an independent “supreme court” that would determine what is acceptable speech.

“[O]ver the long-term, what I’d really like to get to is an independent appeal,” Zuckerberg said. “So maybe folks at Facebook make the first decision based on the community standards that are outlined, and then people can get a second opinion.

“You can imagine some sort of structure, almost like a supreme court, that is made up of independent folks who don’t work for Facebook, who ultimately make the final judgment call on what should be acceptable speech in a community that reflects the social norms and values of people all around the world.”

Over the last few days, Facebook has been rolling out some positive-sounding policies to provide Zuckerberg with some ammo before Congress, including giving users greater control over what information third-party apps can gather and bulk-delete capabilities for such apps.

But the company isn’t changing much about the info it collects and uses. Make no mistake about it: Facebook remains a data company. It can make rhetorical claims about protecting user privacy, but it profits, and profits mightily, from consumers’ information.

Congress would be foolish to allow Zuckerberg to use the privacy issue to gain even greater control of the marketplace, while allowing him to walk away from the upcoming hearing without addressing the elephant in the room. That’s the tech industry’s willingness to limit speech and information in a manner that discriminates against conservatives.

Yet, for a case with such potentially broad implications, it doesn’t involve a high-profile data breach with millions of protected healthcare records roaming freely in the digital ether. Nor does it involve a single instance of identity theft or untoward use of patient information.

In fact, it’s doubtful that there was even a data breach.

The FTC’s enforcement action against LabMD focuses on two incidents dating back a decade. In the first instance, the FTC complaint charged that a report with the names, birth dates and Social Security numbers for 9,000 patients was compromised. But the back story is more complicated. A cybersecurity firm soliciting LabMD’s business allegedly “discovered” the report on a peer-to-peer file sharing program installed on one computer in LabMD’s accounting department. The cybersecurity firm allegedly shared the report with the FTC. There’s no evidence, however, that the report was shared with anyone else.

The second instance – the FTC charged – was a document with sensitive patient information that ended up in the hands of identity thieves in California. Again, there’s no evidence that this second document was used for illicit purposes, nor is it clear how the report found its way to California.

At the heart of the appeal is the scope and reach of the FTC’s enforcement powers under Section 5 of the FTC Act and the trigger for an enforcement action, all hotly debated issues since the case started in 2010 and a powerful test of the Commission’s authority. Section 5 prohibits “unfair” acts or practices that “cause[] or is likely to cause substantial injury to consumers….”

After a three-year investigation, the agency filed an Administrative Complaint in 2013 alleging that LabMD failed to adequately protect patient medical data, and demanded that, as part of a settlement, it institute a comprehensive data security program and submit to third-party security audits for the next 20 years. LabMD rejected the settlement.

Round One: LabMD Wins Administrative FTC Trial

In a stinging 91-page ruling, the agency’s own chief administrative law judge, J. Michael Chappell, dismissed the case against LabMD on the grounds that the Commission failed to demonstrate that it was “likely” consumers had been substantially injured – as required by Section 5 – by the two alleged data security incidents. ALJ Chappell concluded that the FTC failed to show any proof whatsoever of actual consumer injury. He flatly rejected the FTC’s theory that a statistical or hypothetical risk of future harm was enough to find LabMD liable for unfair conduct under Section 5 of the FTC Act.

“To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft, would require unacceptable speculation and would vitiate the statutory requirements of ‘likely’ substantial consumer injury.”

Round Two: Commission Reverses ALJ

In its Opinion and Final Order, the Commission reversed the ALJ’s ruling and held that the “wrong” legal standard was applied and that the pertinent inquiry is whether the act or practice at issue posed a “significant risk” of injury to consumers.

“[C]ontrary to the ALJ’s holding that ‘likely to cause’ necessarily means that the injury was ‘probable,’” the Commission wrote, “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.” The Commission concluded that Congress had entrusted it with protecting a broad range of consumer harms and “need not wait for consumers to suffer known harm at the hands of identity thieves” before taking action.

Round Three: Stay Tuned

In a 20-minute spirited oral argument on June 21, 2017, the Eleventh Circuit asked why the Commission didn’t simply use rulemaking instead of an enforcement action if its concern is the prevention of future incidents. As one member of the court observed during the hearing: “A tree fell and nobody heard it, that’s the case we have here.”

Even before oral argument, the Eleventh Circuit signaled its discomfort with the FTC’s position that actual or likely consumer injury wasn’t required under Section 5. In a pre-appeal motion, the court noted that LabMD had “made a strong showing” that the agency’s legal interpretation of Section 5 may not be reasonable.

The Eleventh Circuit’s ruling – whenever and however decided – will have far-reaching implications. If the FTC prevails, the agency will likely have more discretion in defining the threshold for consumer harm under a Section 5 enforcement action; and, the agency’s consent decrees will be viewed as a body of precedents indicating what data security practices are considered “unfair” by the Commission. But if LabMD wins, the enforcement bar will be raised – requiring more than just speculative or hypothetical consumer injury – to sustain an enforcement action.

The Devil Inside The Beltway

FTC Disclaimer

The Federal Trade Commission requires that I disclose any relationship I have between a product manufacturer or service provider when I write about a product or service. Michael Daugherty receives a small commission for purchases made via affiliate links on this site such as from Amazon. The above does not affect my opinion of those products and services. I am committed to providing helpful articles to my readers.